Code 27: Ethical Hacking Networks with Minimal Impact

MITM is the most impactful attack that can be carried out on a network, but it is also the most dangerous technique in terms of risk to the infrastructure. In this article I will talk about how to spoof during a pentest without breaking anything along the way and causing a DoS.

warning

The article is for informational purposes only and is intended for security specialists conducting testing under a contract. The author and editors are not responsible for any harm caused by using the information provided. Distribution of malware, disruption of systems and violation of confidentiality of correspondence are prosecuted by law.


Let's start with the theory. I will show you which parameters are needed to conduct MITM correctly. These settings will help you avoid an unintentional DoS.

Traffic Routing and Promiscuous Mode

A classic of the genre: switch your interface to promiscuous mode and enable IP forwarding. Forwarding is the essential setting here: without it, traffic from legitimate hosts terminates at your OS instead of being passed on, and that alone causes a DoS.

sudo ip link set dev eth0 promisc on


sudo sysctl -w net.ipv4.ip_forward=1

It is also worth disabling ICMP redirects. While forwarding traffic during MITM, your machine may generate these messages, which will alert IDS/IPS sensors. The accept_redirects knobs stop your host from honouring redirects sent to it; to stop it from emitting them while forwarding, send_redirects has to be cleared as well, both for all and for the interface in use, because the kernel sends redirects if either of the two is enabled.

sudo sysctl -w net.ipv4.conf.all.accept_redirects=0

sudo sysctl -w net.ipv6.conf.all.accept_redirects=0

sudo sysctl -w net.ipv4.conf.all.send_redirects=0

sudo sysctl -w net.ipv4.conf.eth0.send_redirects=0

Switch port capabilities

One way or another, with MITM you are bounded by the capacity of your switch port. If the port has, say, 1 Gbit/s of throughput, the combined traffic of every spoofed host has to fit under that mark. Therefore it is not recommended to spoof too many hosts at once.

NAT Helper, masquerading and its side effects

FTP, H.323 and other traffic that does not play well with NAT may pass through you. Loading the connection-tracking module helps such traffic through (the protocol-specific helpers, nf_conntrack_ftp and nf_conntrack_h323, are what actually track those protocols' secondary connections):

sudo modprobe nf_conntrack

Let's add a NAT rule that lets us see not only the incoming traffic during MITM, but the outgoing traffic as well.

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

However, this rule may have a side effect.

One day, my colleague set up exactly such a rule during a MITM. The customer's infrastructure contained Zabbix agents, which he spoofed. And this rule led to the Zabbix server no longer being able to reach the Zabbix agents, since it essentially spoofs the addresses of legitimate hosts. Of course, the network engineers were shocked by such a sudden event.

Searching for sensitive data on the wire

The net-creds and PCredz utilities are the most useful tools for conveniently collecting data on the wire. They are usually used to pull passwords, NTLM hashes, SNMP community strings and other interesting things out of traffic.

sudo python2 net-creds.py -i eth0

sudo python3 ./Pcredz -i eth0

Linux kernel

With MITM, your device must be prepared to handle a large amount of traffic. The Linux kernel can be tweaked a little so that it copes with the volume you will receive during network spoofing. Note that net.ipv4.tcp_tw_recycle was removed in Linux 4.12, so on current kernels that line fails and should simply be left out.

sudo sysctl -w fs.file-max=100000

sudo sysctl -w net.core.somaxconn=65535

sudo sysctl -w net.core.netdev_max_backlog=65536

sudo sysctl -w net.ipv4.tcp_fin_timeout=15

sudo sysctl -w net.ipv4.tcp_tw_reuse=1

sudo sysctl -w net.ipv4.tcp_tw_recycle=1

sudo sysctl -w net.ipv4.tcp_max_tw_buckets=65536
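As an added example (not from the article), here is a small POSIX sh helper that applies the sysctl settings above reversibly: it snapshots the current values before changing them, so the host can be put back exactly as it was after the engagement, and it skips keys the running kernel does not have instead of aborting. It assumes the sysctl names listed in the article plus net.ipv4.conf.all.send_redirects=0, which stops the forwarding host from emitting ICMP redirects.

```shell
#!/bin/sh
# Added example, not from the article: apply its MITM-prep sysctls reversibly.
# SYSCTL_ROOT points at /proc/sys on a real host (root needed to write); tests
# can point it at a constructed directory tree instead.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# The article's settings, one key=value per line, no spaces around "=".
# send_redirects is added here: it stops the box emitting ICMP redirects
# while it forwards the spoofed hosts' traffic.
MITM_SYSCTLS='net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
fs.file-max=100000
net.core.somaxconn=65535
net.core.netdev_max_backlog=65536
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_max_tw_buckets=65536'

# net.ipv4.ip_forward -> $SYSCTL_ROOT/net/ipv4/ip_forward
sysctl_path() { printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"; }

# Record the current value of every key in file $1 before touching anything.
# Keys the running kernel lacks (tcp_tw_recycle is gone since 4.12) are
# reported and skipped rather than aborting the whole preparation.
snapshot_sysctls() {
  out="$1"; : > "$out"
  printf '%s\n' "$MITM_SYSCTLS" | while IFS='=' read -r key rest; do
    p="$(sysctl_path "$key")"
    if [ -r "$p" ]; then printf '%s=%s\n' "$key" "$(cat "$p")" >> "$out"
    else echo "skip: $key not present on this kernel" >&2; fi
  done
}

# Write every key=value line of $1; same handling of missing keys. Feeding
# it the snapshot file's content puts the host back the way it was.
apply_sysctls() {
  printf '%s\n' "$1" | while IFS='=' read -r key val; do
    p="$(sysctl_path "$key")"
    if [ -w "$p" ]; then printf '%s\n' "$val" > "$p"
    else echo "skip: $key not writable or absent" >&2; fi
  done
}

# On a real host (as root):
#   snapshot_sysctls /root/pre-mitm.sysctl && apply_sysctls "$MITM_SYSCTLS"
#   ... after the engagement: apply_sysctls "$(cat /root/pre-mitm.sysctl)"
```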
